Privacy Policy
Last updated: March 20, 2026
Effective date: March 20, 2026
Frosa (“we”, “us”, “our”) operates createtodo, a web-based task management application available at createtodo.com (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service, in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.
1. Data Controller
The data controller responsible for your personal data is:
Frosa
Email: privacy@createtodo.com
For any data protection inquiries, please contact us at privacy@createtodo.com.
2. Personal Data We Collect
2.1 Account Data (collected at registration)
| Data | Purpose | Lawful Basis |
|---|---|---|
| Email address | Account identification, authentication (magic link), transactional emails | Contract performance (Art. 6(1)(b)) |
| Name | Display within the application | Contract performance (Art. 6(1)(b)) |
| Display name | Optional profile personalization | Consent (Art. 6(1)(a)) |
| Avatar / profile image URL | Optional profile personalization | Consent (Art. 6(1)(a)) |
| Timezone and week start preference | Application personalization | Contract performance (Art. 6(1)(b)) |
| Phone number | Optional contact field | Consent (Art. 6(1)(a)) |
2.2 Authentication Data
| Data | Purpose | Lawful Basis |
|---|---|---|
| Session tokens | Maintaining authenticated sessions | Contract performance (Art. 6(1)(b)) |
| IP address | Session security, rate limiting, abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| User agent string | Session security and device identification | Legitimate interest (Art. 6(1)(f)) |
| Passkey credentials (public key, credential ID, device type) | Passwordless authentication | Contract performance (Art. 6(1)(b)) |
| OAuth tokens (GitHub, Google) | Social sign-in | Consent (Art. 6(1)(a)) |
| Magic link verification tokens | Passwordless email authentication | Contract performance (Art. 6(1)(b)) |
2.3 User-Generated Content
| Data | Purpose | Lawful Basis |
|---|---|---|
| Todos/issues (title, description, priority, dates, estimates) | Core service functionality | Contract performance (Art. 6(1)(b)) |
| Comments on issues | Collaboration features | Contract performance (Art. 6(1)(b)) |
| Projects and lists | Task organization | Contract performance (Art. 6(1)(b)) |
| Labels and custom fields | Task categorization | Contract performance (Art. 6(1)(b)) |
| File attachments | AI chat file sharing | Contract performance (Art. 6(1)(b)) |
| AI chat messages | AI-assisted task management | Contract performance (Art. 6(1)(b)) |
2.4 Organization Data
| Data | Purpose | Lawful Basis |
|---|---|---|
| Workspace name, slug, logo, description | Multi-tenant workspace management | Contract performance (Art. 6(1)(b)) |
| Team names, keys, settings | Team organization | Contract performance (Art. 6(1)(b)) |
| Member roles and invitation records | Access control | Contract performance (Art. 6(1)(b)) |
2.5 Technical and Usage Data
| Data | Purpose | Lawful Basis |
|---|---|---|
| Last seen timestamp | User presence and activity indicators | Legitimate interest (Art. 6(1)(f)) |
| Onboarding status | Guiding new users through setup | Contract performance (Art. 6(1)(b)) |
| Theme preference | UI personalization | Contract performance (Art. 6(1)(b)) |
2.6 Payment Data
Payment processing is handled entirely by our payment provider, Polar.sh. We do not store credit card numbers or banking details. Polar.sh may share with us: customer identifiers, subscription status, and billing events. See Polar.sh’s privacy policy for details.
3. How We Protect Your Data
3.1 Encryption at Rest
All personally identifiable information (name, email, display name, profile image URL) is encrypted at rest using AES-256-GCM with per-platform derived keys (HKDF-SHA256). Email addresses are additionally protected with HMAC-SHA256 blind indexes, meaning we can look up accounts without storing plaintext email addresses in the database.
3.2 Encryption in Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
3.3 Access Control
- Row-level security (RLS) policies enforce that users can only access data within their own organization.
- Session-based authentication with secure, HTTP-only cookies.
- Rate limiting on sensitive endpoints (magic link sending and verification).
- Cloudflare Turnstile bot protection on authentication flows.
4. Sub-processors and Data Sharing
We use the following third-party sub-processors to deliver the Service:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Neon (Neon Inc.) | PostgreSQL database hosting | All application data (encrypted at rest) | United States |
| AWS (Amazon Web Services) | Application hosting, compute, CDN (CloudFront), static asset hosting (S3) | Application traffic, session data, IP addresses | United States (us-east-1) |
| ElectricSQL | Real-time data sync engine | Organization-scoped application data (read-only replication) | Self-hosted on AWS (us-east-1) |
| Loops (Loops Inc.) | Transactional email delivery and contact management | Email address, first name, user ID, user group | United States |
| Polar.sh (Polar Software Inc.) | Payment processing, subscriptions | Email, customer ID, subscription/billing data | European Union |
| xAI (xAI Corp.) | AI-powered chat assistant | Chat messages, task context within AI conversations | United States |
| Cloudflare (Cloudflare Inc.) | Bot protection (Turnstile), DNS | IP address, browser challenge tokens | Global (Anycast) |
| GitHub (Microsoft) | OAuth social sign-in | OAuth tokens, profile data (name, email, avatar) | United States |
| Google (Alphabet Inc.) | OAuth social sign-in | OAuth tokens, profile data (name, email, avatar) | United States |
We do not sell, rent, or trade your personal data to any third parties.
5. International Data Transfers
Our infrastructure is hosted in the United States. For users located in the European Economic Area (EEA), United Kingdom, or Switzerland, data transfers to the US are protected by:
- EU-U.S. Data Privacy Framework where applicable to our sub-processors (AWS, Google, Cloudflare).
- Standard Contractual Clauses (SCCs) as adopted by the European Commission, incorporated into our Data Processing Agreements with all US-based sub-processors.
- Supplementary technical measures including AES-256-GCM encryption at rest, TLS in transit, and HMAC-based blind indexing of email addresses, ensuring that even in the event of lawful access requests, personal data is protected by strong cryptographic measures.
6. Data Retention
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Active account data | Duration of account existence | Encrypted anonymization on deletion |
| Soft-deleted user accounts | 14 days after deletion request | Automated purge: PII replaced with anonymized encrypted placeholders, user record hard-deleted, sessions/accounts/passkeys deleted |
| Session data | Until session expiry or logout | Automatic deletion |
| Magic link verification tokens | Until expiry (typically minutes) | Automatic deletion |
| Invitation records | Until accepted, declined, or expired | Automatic deletion on expiry |
| User-generated content (todos, comments) | Duration of workspace existence | Available for export; deleted with workspace |
| AI chat messages and history | Duration of workspace existence | Deleted with workspace |
| Payment records | As required by tax/accounting law | Managed by Polar.sh per their retention policy |
| Server logs | 30 days | Automatic rotation |
When you delete your account:
- We immediately soft-delete your account, anonymize your workspace member records, and invalidate all sessions.
- You have a 14-day grace period during which you can sign back in and cancel the deletion.
- After 14 days, your name, email, and other PII are permanently erased and the user record is hard-deleted.
- We remove your contact data from our email provider (Loops).
- Content you authored (todos, comments) is preserved for workspace integrity, but attributed to “Former Member”.
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15) — Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — Update or correct your personal data via your profile settings.
- Right to erasure (Art. 17) — Delete your account, triggering our anonymization and purge process.
- Right to restrict processing (Art. 18) — Request that we limit processing of your data.
- Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — Object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time where processing is based on consent (e.g., optional profile fields, marketing emails).
- Right to lodge a complaint — File a complaint with your local data protection authority.
To exercise any of these rights, contact us at privacy@createtodo.com. We will respond within 30 days.
8. Cookies and Local Storage
createtodo uses:
- Session cookies (strictly necessary) — To maintain your authenticated session. These are secure, HTTP-only cookies set on .createtodo.com.
- Theme preference — Stored in your user profile (server-side), not as a client-side cookie.
- Local-first sync data — ElectricSQL may cache synced data in browser storage for offline functionality and performance.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
9. AI Features
The AI chat assistant in createtodo uses xAI’s API to process your messages. When you use the AI assistant:
- Your chat messages and relevant task context are sent to xAI’s servers for processing.
- AI-generated responses are stored in your workspace.
- xAI processes data under our Data Processing Agreement and does not use your data to train their models.
You can choose not to use the AI features. The core task management functionality works independently.
10. Children’s Privacy
createtodo is not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@createtodo.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. For significant changes, we will send an email notification to the address associated with your account.
12. Contact Us
For any questions about this Privacy Policy or our data practices:
Email: privacy@createtodo.com